| changeset | 9c3ec0a5c7fc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | chore: remove __future print_function from code. Not needed as of Python 3. |
| files | |
| changeset | 166cb2632315 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551413 - Broken MultiLink columns in CSV export (take 2) Changed how I solved this. Restored the original line that cmeerw took out, but use the 'id' field rather than the 'name' field. The if statements following the line change it to the 'name' field (realname if it's a user object): if there is one. Updated the tests to test for this error and exercise the code. I had to change the test to create/add messages to an issue. This required that I suppress the sending of nosy messages using SENDMAILDEBUG env var. |
| files | |
| changeset | 224ccb8b49ca |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | refactor: change some classes to use __slots__ Speed up access to and reduce size of some low level classes. A few classes in security.py, rest.py are heavily used. But for all, it prevents adding random properties to lower level classes that people shouldn't be mucking with. While doing this I found some test cases accessing an invalid property name and this change caused the cases to crash. admin.py: Use new method Role.props_dict() and Permission.props_dict() where original code just referenced __dict__ when printing Role/Permission. mlink_expr.py: Add slots to multiple classes. Classes Binary and Unary set real properties/attributes. Classes that inherit from them (Equals, Empty, Not, Or, And) define empty slots tuple to eliminate need for __dict__. Class Expression also gets a slot. rate_limit.py: RateLimit and Gcra classes get slots. A couple of pep8 fixes: sort imports, remove trailing spaces on a line, remove unused noqa comment. rest.py: Add slots to class SimulateFieldStorageFromJson and FsValue classes. The memory savings from this could be useful as well as speedier access to the attributes. security.py: Add slots to Permission class. To prevent conflict between slot limit_perm_to_props_only and the class variable of the same name, rename the class variable to limit_perm_to_props_only_default. Also define method props_dict() to allow other code to get a dict to iterate over when checking permissions. Add slots to class Role along with props_dict() method. Add slots to class Security. Also have to add explicit __dict__ slot to support test override of the hasPermission() method. Add props_dict() method, currently unused, but added for symmetry. support.py: TruthDict and PrioList get slots. test/test_cgi.py: Fix incorrect setting of permission property. Was setting permissions. So testing may not have been doing what we thought it was. Multiple places found with this typo. Remove setting of permissions in some places where it should have no effect on the test and looks like it was just copypasta. test/test_xmlrpc.py Remove setting of permissions in some places where it should have no effect on the test and looks like it was just copypasta. |
| files | |
| changeset | b07165add61b |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix(web): issue2551406 - don't crash when handed invalid @template=a|b|c Only two template cases (ok and error) are handled. Presence of second '|' caused crash. Discovered/patch provided by Christof Meerwald (cmeerw). |
| files | |
| changeset | 669dfccca898 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551391 - checkboxes and radiobutton inputs get wrong ids. Actually it breaks automatic id assignment for all inputs. Inputs now get an automatic id assignment that matches the name. It can be overridden by supplying an id parameter in the call to the field() method. This is also a partial fix for issue1513369. I think it obsoletes the changes to templating.py. |
| files | |
| changeset | 05d8806b25ad |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: issue2551387 - TypeError: not indexable. Fix crash due to uninitialized list element on a (Mini)FieldStorage when unexpected input is posted via wsgi. This doesn't happen when running roundup-server. It might happen under other front ends. Moved the code that sets '.list = [] if .list == None' to the main flow. Added an exception handler that logs the value of self.form if self.form.list raises an AttributeError. This exception should never happen if I understand the code correctly (but I probably don't). Fixed a number of test cases that were broken because I was calling Client and passing '[]' rather than a cgi.formStorage object. Added test cases: create a FileStorage (self.form) with .list = None. check AttributeError exception and verify logging. Problem reported and debugged by Christof Meerwald. |
| files | |
| changeset | 35beff316883 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix(api): issue2551384. Verify REST authorization earlier To reduce the ability of bad actors to spam (DOS) the REST endpoint with bad data and generate logs meant for debugging, modify the flow in client.py's REST handler to verify authorization earlier. If the anonymous user is allowed to use REST, this won't make a difference for a DOS attempt. The templates don't enable REST for the anonymous user by default. Most admins don't change this. The validation order for REST requests has been changed. CORS identified and handled User authorization to use REST (return 403 on failure) REST request validated (Origin header valid etc.) (return 400 for bad request) Incorrectly formatted CORS preflight requests (e.g. missing Origin header) that are not recognized as a CORS request can now return HTTP status 403 as well as status 400 (when anonymous is allowed access). Note all CORS preflights are sent without authentication so appear as anonymous requests. The tests were updated to compensate, but it is not obvious to me from specs what the proper evaluation order/return codes should be for this case. Both 403/400 are failures and cause CORS to fail so there should be no difference but... |
| files | |
| changeset | 0242cf22ef74 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | test: fix failing test setup for change in PBKDF2 rounds. |
| files | |
| changeset | e84d4585b16d |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix(web): issue2551356. Add etag header for not-modified (304) request. When a 304 is returned to a conditional request for a static file, print an ETag for the response. ETag was always sent with a 200 response. This also adds initial support for if-none-match conditional requests for static files. Changes: Refactors the if-modified-since code out to a method. It moves a file stat call from serve_static_file to _serve_file so that an etag can be generated by both serve_static_file and serve_file which call _serve_file. Tests added. This does not test the codepath where serve_file pulls content from the database rather than from a local file on disk. Test mocking _serve_file changed to account for 5th argument to serve_file BREAKING CHANGE: function signature for client.py-Client::_serve_file() now has 5 not 4 parameters (added etag param). Since this is a "hidden" method I am not too worried about it. |
| files | |
| changeset | 603aa730b067 |
|---|---|
| branch | permission-performance |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Fix failing test due to monkey patching An earlier test monkey-patched the permission checks which subsequently failed in another test. |
| files | |
| changeset | e44b65651012 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | test: correct checksum for changed template A change I made to disable spellcheck in user.item.html caused the render function to generate a different sha1 checksum. The test looks for the checksum. Update to the new checksum after the change. |
| files | |
| changeset | 28aa76443f58 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125 Directions for fixing: * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing tracker homes. * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0, directions available for fixing in prior versions. * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an issue can contain embedded JavaScript which is executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions available for fixing in prior versions. prior to 2.4.0 release this weekend that fixes the last two CVE's. |
| files | |
| changeset | 470616e64414 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551334 - get test suite running under windows Fix test_cgi under windows. A few classes of errors: 1) comparing paths with a/b (unix) to a\b (windows). Use normpath to fix it. Also change regexps used for path matching to use either \ or / for directory separators. 2) database not being closed preventing deletion of test case directory. Windows doesn't allow deletion of open files. In some cases replaced calling client.inner_mail() with main() because main() makes sure to close the database. In other cases assigned self.db = client.db because client reopens the database and closes the original self.db. Reassigning allows tearDown to close the last opened handle to a db. 3) commit the admin password to the database. If it's not committed calling the code sometimes comes up with a different admin password. Not sure why we don't see this on linux. 4) run commit() on database so that sqlite databases can be closed and deleted. Unit tests don't call the main entry points that have finally clauses to close the databases properly, so do it in the test. 5) split tests that try to resolve symbolic links in the template directory to a separate method. Under windows user needs special permissions to create symbolic links, so I report the method is skipped if creating a link fails. |
| files | |
| changeset | a430339f55e6 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | test: map assertRegexpMatches to assertRegex for python2 |
| files | |
| changeset | e90be54708e9 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | test: add test for bare % in expanded file. |
| files | |
| changeset | 219fc5804345 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551270 - Better templating support for JavaScript Add (templating) utils.readfile(file, optional=False) and utils.expandfile(file, token_dict=None, optional=False). Allows reading an external file (e.g. JavaScript) and inserting it using tal:contents or equivalent jinja function. expandfile allows setting a dictionary and tokens in the file of the form "%(token_name)s" will be replaced in the file with the values from the dict. See method doc blocks or reference.txt for more info. Also reordered table in references.txt to be case sensitive alphabetic. Added a paragraph on using python's help() to get method/function/... documentation blocks. In templating.py _find method. Added explicit return None calls to all code paths. Also added internationalization method to the TemplatingUtils class. Fixed use of 'property' hiding python builtin of same name. Added tests for new TemplatingUtils framework to use for testing existing utils. |
| files | |
| changeset | 978285986b2c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: issue2551193 - Fix roundup for removal of cgi and cgitb ... standard python modules (and FieldStorage/MiniFieldStorage). Vendor cgi.py and modify imports. Details: roundup/anypy/cgi_.py import that accesses a working cgi.py. All imports dealing with cgi now use cgi_. roundup/anypy/vendored/cgi.py vendored version 2.6 of cgi.py from: https://pypi.org/project/legacy-cgi/ CHANGES.txt change note added COPYING.txt added license for cgi.py doc/rest.txt change example to use cgi_ doc/upgrading.txt doc removal and how to rework local code using cgi.py. frontends/roundup.cgi remove unneeded cgi import roundup/cgi/actions.py roundup/cgi/apache.py roundup/cgi/client.py roundup/cgi/templating.py roundup/cgi/TAL/TALGenerator.py test/db_test_base.py test/rest_common.py test/test_cgi.py remove import cgi and replace with from roundup.anypy.cgi_ import cgi test/test_actions.py test/test_templating.py modify import to get *FieldStorage test/test_admin.py test/test_hyperdbvals.py test/test_xmlrpc.py remove unneeded cgi import |
| files | |
| changeset | 8b2287d850c8 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix round check/settings in needs_migration Support test rounds in needs_migration Two tests were missing os.environ setting to have them use config setting. |
| files | |
| changeset | 1549c7e74ef8 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update Fixed a couple of tests where calls to needs_migration() were missing the config parameter. Documented need to update config.ini's password_pbkdf2_default_rounds. |
| files | |
| changeset | 5487882ff17a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix test failure when run alone. testPasswordMigration was failing when run pytest -k testPasswordMigration. Was always failing on third test. When run as part of whole FormTestCase class it worked. Fixed it by: Using cl.db after call to actions.LoginAction. Make sure to set cl.db.Otk = self.db.Otk before calling LoginAction. Add real Otk database and not a mock to a couple of db's. Without this the third element in the loop (crypt at this point) still has the old value when reading from db. I think this is due to the original cl.db being closed inside LoginAction (to re-open db using new user's credentials cl.db.ptimize is not set). I think the old self.db is returning the cached values. At least that's my guess. |
| files | |
| changeset | ed63b6d35838 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Add 'Access-Control-Expose-Headers' to a couple of tests. |
| files | |
| changeset | 89a59e46b3af |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates. |
| files | |
| changeset | f614176903d0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix test; string for json object has extra space under python2. So compensate by comparing json parsed into objects and compensate with a different content-length between py2 and py3. |
| files | |
| changeset | 1181157d7cec |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Refactor rejecting requests; update tests, xfail test Added new Client::reject_request method. Deployed throughout handle_rest() method. Fix tests to compensate for consistent formatting of errors. Mark testRestOriginValidation test xfail. Code needed to implement it fully is only partly written. Tests for OPTIONS request on a bad attribute and valid and invalid origin tests added. |
| files | |
| changeset | 9a1f5e496e6c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551203 - Add support for CORS preflight request Add support for unauthenticated CORS preflight and fix headers for CORS. client.py: pass through unauthenticated CORS preflight to rest backend. Normal rest OPTION handlers (including tracker defined extensions) can see and handle the request. make some error cases return error json with correct mime type rather than plain text tracebacks. create new functions to verify origin and referer that filter using allowed origins setting. remove tracker base url from error message if referer is not at an allowed origin. rest.py: fix up OPTION methods handlers to include Access-Control-Allow-Methods that are the same as the Allow header. set cache to one week for all Access-Control headers for CORS preflight only. remove self.client.setHeader("Access-Control-Allow-Origin", "*") and set Access-Control-Allow-Origin to the client supplied origin if it passes allowed origin checks. Required for CORS otherwise data isn't available to caller. Set for all responses. set Vary header now includes Origin as responses can differ based on Origin for all responses. set Access-Control-Allow-Credentials to true on all responses. test_liveserver.py: run server with setting to enforce origin csrf header check run server with setting to enforce x-requested-with csrf header check run server with setting for allowed_api_origins requests now set required csrf headers test preflight request on collections check new headers and Origin is no longer '*' rewrite all compression checks to use a single method with argument to use different compression methods. Reduce a lot of code duplication and makes updating for new headers easier. test_cgi: test new error messages in client.py account for new headers test preflight and new code paths |
| files | |
| changeset | ab2ed11c021e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551205: Add support for specifying valid origins for api: xmlrpc/rest We now have an allow list to filter the hosts allowed to do api requests. An element of this allow list must match the http ORIGIN header exactly or the rest/xmlrpc CORS request will result in an error. The tracker host is always allowed to do a request. |
| files | |
| changeset | da6c9050a79e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Fix modification of Cache_Control The previous code modified the Cache_Control dictionary in the Client class (in one of the cgi tests) which made a later test in test_liveserver fail |
| files | |
| changeset | 154f286061e2 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Add date column to CSV output - test date display code. Test date formatting code. Uses date.Date mock/override so creation date is reproducible. |
| files | |
| changeset | 65336409738c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix csv export with text search. test csv export Sqlite FTS syntax error |
| files | |
| changeset | 39189dd94f2c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551189 - increase size of words in full text index. Increased indexed word maxlength to 50 DB migration code is written and tests work. Restructured some tests to allow for code reuse. Docs. If this passes CI without errors 2551189 should be done. However, testing on my system generates errors. Encoding (indexer unicode russian unicode string invalid) and collation errors (utf8_bin not valid) when running under python2. No issues with python3 and I haven't changed code that should cause these since the last successful build in CI. So if this fails in CI we will have more checkins. |
| files | |
| changeset | e70e2789bc2c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551189 - increase text search maxlength This removes I think all the magic references to 25 and 30 (varchar size) and replaces them with references to maxlength or maxlength+5. I am not sure why the db column is 5 characters larger than the size of what should be the max size of a word, but I'll keep the buffer of 5 as making it 1/5 the size of maxlength makes less sense. Also added tests for fts search in templating which were missing. Added postgres, mysql and sqlite native indexing backends in which to test fts. Added fts test to native-fts as well to make sure it's working. I want to commit this now for CI. Todo: add test cases for the use of FTS in the csv output in actions.py. There is no test coverage of the match case there. change maxlength to a higher value (50) as requested in the ticket. Modify existing extremewords test cases to allow words > 25 and < 51 write code to migrate column sizes for mysql and postgresql to match maxlength I will roll this into the version 7 schema update that supports use of database fts support. |
| files | |
| changeset | 91ab3e0ffcd0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Summary: Add test cases for sqlite fts Add support for using the FTS5 full text query engine for sqlite. Also stubbed out some sections for adding postgresql FTS support as well. Added new indexer type native-fts. It is not selected by default. The indexer=native is used if no indexer is set. This prevents an upgrade from seeming to wipe out the native index if upgraded and indexer=native is not explicitly set. Docs updated. Also changed section headers to sentence case for the current release notes. Indexing backend can control if the full text search phrase is broken into a list of words or passed intact. For backends with query languages (sqlite and can be enabled for whoosh and xapian) we do not want the phrase "tokenized" on whitespace. This also updates the rdbms database version to version 7 to add FTS table. I will be using the same version when I add postgresql. If somebody runs this version on postgresql, they will have to manually add the fts tables for postgresql if they want to use it. Added a new renderError method to client. This allows errors to be reported still using page.html rather than raw html. It also supports templates for any error code. If no template for the error code (e.g. 400) is found, the error in raw html with no page frame is shown. New IndexerQueryError exception to pass back message about query syntax errors. |
| files | |
| changeset | ada96db8ec62 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Ignore blank lines when editing class via CSV |
| files | |
| changeset | b35a50d02890 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix issue2551129 - Template not found return 500 and traceback Handle traceback caused when requested @template is not found. Moved scope of try to include call to self.selectTemplate. Patch provided by Cedric Krier. Additional patch to make this case return 400 error since it is a client caused error. Test case added. |
| files | |
| changeset | f2c31f5ec50b |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Move mocknull from test to roundup/test |
| files | |
| changeset | 58817c3bf471 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Fix roundup/test Move the test-detectors in tx_Source_detector.py to roundup/test for two reasons: It's used in the memorydb convenience functions and it may be useful in other tests. Make the prefix a parameter of the convenience functions to be usable in other tests. |
| files | |
| changeset | bdcccd2b2141 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Replace http:....roundup-tracker.org with https. |
| files | |
| changeset | 15fd91fd3c4c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Quote all exported CSV data Quote all non-numeric data in csv export functions. Report that a title like '=a2+b3' could be interpreted as a function in Excel and executed. csv.writer now includes quoting=csv.QUOTE_NONNUMERIC to generate quoted values for all fields. This should make the string starting with = be interpreted as a string and not a formula. |
| files | |
| changeset | f74d078cfd9a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Christof Meerwald <cmeerw@cmeerw.org> |
| description | issue2551019 needs to be handled in the action code itself, not the WSGI handler for Python 3 we always need to encode the output in the client character set |
| files | |
| changeset | 54d0080769f9 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Support setting cache-control headers for static files Control how to cache static files. Can control by mime type or filename. Needs to use interfaces.py mechanism to configure. See customization.txt file in the interfaces.py section. Also added docs for using interfaces.py and a few examples. |
| files | |
| changeset | fefdf5f97c50 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Clean up SENDMAILDEBUG in test case. |
| files | |
| changeset | 71c68961d9f4 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | - issue2550920 - Optionally detect duplicate username at registration. Added config option to allow detection of duplicate username when the user tries to register. Previously user was rejected when duplicate name found at confirmation step. Optional as it can make username guessing easier. Testing is in place for this. Also attempted to make the unfriendly error message: 'node with key "username" exists' into a translatable friendly error: "Username 'username' already exists." This is missing any test. It is also fragile as I capture the ValueError exception and see that the exception matches: 'node with key "username" exists' If it does reassert the friendly message. Otherwise just re-raise existing exception. If the "node with key..." message is translated the friendly override will not trigger. |
| files | |
| changeset | fe334430ca07 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550919 - Anti-bot signup using 4 second delay Took the code by Erik Forsberg and massaged it into the core. So this is no longer needed in the tracker. Updated devel and responsive trackers to remove timestamp.py and update input field name. Docs, changes and tests complete. Hopefully these tracker changes won't cause an issue for other tests. |
| files | |
| changeset | b40059d7036f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550925 strip HTTP_PROXY environment variable if deployed as CGI and client sends an http PROXY header, the tainted HTTP_PROXY environment variable is created. It can affect calls using requests package or curl. A roundup admin would have to write detectors/extensions that use these mechanisms. Not exploitable in default config. See: https://httpoxy.org/ |
| files | |
| changeset | 26cd8e8bbed3 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Change microcopy for missing csrf to follow mismatched csrf. Fix tests. |
| files | |
| changeset | bd6d41f21a5a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | More extensive EditCSV testing. Uses test object to cover all types defined by database. Also check for an error with a row that's too short. CSV starts with blank line to verify that it recognises header line. Changes password, date, int, link and other fields. Deletes row and verifies that it is retired. Make actions.py properly handle emptying of password field. |
| files | |
| changeset | 39a5f40ae4d4 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Extra test of < and > inside quotes. |
| files | |
| changeset | 95a366d46065 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Replace deprecated assertEquals with assertEqual and failUnlessRaises with assertRaises. |
| files | |
| changeset | 68b0c1767b50 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Replace assertEquals (deprecated) with assertEqual. |
| files | |
| changeset | 3f00269f3297 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Got an xpass on testPasswordMigration, so removing xfail marker. Not sure what got fixed, but travis is reporting the same. |
| files | |
| changeset | abb9fdb02228 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Mark the failing test I deactivated as xfail to make it easier for people to run the test and try to debug it. |
| files | |
| changeset | 071625b5b7c0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Deactivate failing test till I can get somebody to look at it. I want the code coverage stats to look at for my changes and I can't get that while tests are failing. This test loops over 4 deprecated encryption schemes. It looks like it fails on whatever encryption item is in the third location. When looking at the action code, it looks like on the third iteration, it is getting the replacement properly encrypted string, so it doesn't do a change to the database. However the test harness is still seeing the badly encrypted string. I don't know if there is a cache issue or something here. |
| files | |
| changeset | 92c1864d5dd2 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Add test for @pretty=false format change. |
| files | |
| changeset | f90a534cb112 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Change output comparison from strings to comparison on python dicts. String representation of the json data had fields in different order causing failure for python3 compared to python2. |
| files | |
| changeset | b1ab8bd18e79 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Adding tests for csrf protection for rest. Also test disabling of pretty printing. |
| files | |
| changeset | 9689d1bf9bb0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | python2/python3 normalization. When exporting CSV, sort lists as they are ordered differently in python3 vs python2. Also python 3 list element order seems to not be stable/repeatable between runs. Sometimes the tests would pass sometimes they wouldn't. |
| files | |
| changeset | f8893e1cde0d |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | assert_ is deprecated. Replacing with assertTrue to reduce logs in travisci. |
| files | |
| changeset | 8e3df461d316 |
|---|---|
| branch | maint-1.6 |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551023: Fix CSRF headers for use with wsgi and cgi. The env variable array used - separators rather than _. Compare: HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is correct. Also fix roundup-server to produce the latter form. (Patch by Cédric Krier) |
| files | |
| changeset | b3618882f906 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551023: Fix CSRF headers for use with wsgi and cgi. The env variable array used - separators rather than _. Compare: HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is correct. Also fix roundup-server to produce the latter form. (Patch by Cédric Krier) |
| files | |
| changeset | be99aa02c616 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550833 enhance the export csv action to include the keys for linked items rather than ids. So for nosy list display usernames and not numbers. The original code was renamed and also made available. See change document. |
| files | |